Thursday, April 26, 2018

UK attack on Belgian telecom used Daddy NSA technology. UK spy agency GCHQ frequently hacks governments and businesses from countries including Russia, North Korea, UAE, Iran, Turkey, and Belgium. UK never admits hacking and 'gets away with it' because of its sick relationship with the deeply corrupt US political class-The Intercept, 2/17/18

As The Intercept reported in 2014, the hack turned out to have been perpetrated by UK surveillance agency Government Communications Headquarters, better known as GCHQ. The British spies hacked into Belgacom employees’ computers and then penetrated the company’s internal systems. In an eavesdropping mission called “Operation Socialist,” GCHQ planted bugs inside the most sensitive parts of Belgacom’s networks and tapped into communications processed by the company.

The covert operation was the first documented example of a European Union member state hacking the critical infrastructure of another. The malware infection triggered a massive cleanup operation within Belgacom, which has since renamed itself Proximus. The company – of which the Belgian government is the majority owner – was forced to replace thousands of its computers at a cost of several million euros. Elio di Rupo, Belgium’s then-prime minister, was furious, calling the hack a “violation.” Meanwhile, one of the country’s top federal prosecutors opened a criminal investigation into the intrusion.

but no details about its activities have been made public. Now, following interviews with five sources close to the case, The Intercept – in collaboration with Dutch newspaper de Volkskrant – has gained insight into the probe and uncovered new information about the scope of the hack. The sources, who are subject to confidentiality agreements and not authorized to talk to the media, spoke on the condition of anonymity. Their accounts reveal an extraordinary investigation that was hindered from the outset by political, diplomatic, technical, and legal difficulties.

The Belgacom breach sparked outrage in Europe’s political
institutions and made global headlines. But Belgium’s effort to identify
the spies responsible and hold them accountable faced roadblocks at
almost every turn. Europol, the European Union’s law enforcement agency,
refused to assist. Prosecutors overseeing the case feared triggering a
major diplomatic dispute and were reluctant to pursue it aggressively. Meanwhile,

“We wanted to show that as a small country, we would not be bullied,” said a source close to the investigation. “But we were fighting against two big cyberarmies from the U.K. and the U.S. We knew we could never win this.”

At first, it was not clear how severely Belgacom’s systems
were compromised or who was responsible for the breach. Inside a
grayish, four-story office building on Lebeau Street in Brussels, one of
the company’s email servers kept malfunctioning. The problem, first
identified in the summer of 2012, was assumed then to be a routine
technical fault. But about a year later – in June 2013 – the issue
flared up again, and Belgacom’s security experts realized there was a
more sinister explanation: The company’s systems had been hacked.

Belgacom notified the authorities that it had been targeted, and in July 2013, filed a formal complaint with a federal prosecutor. The complaint triggered a major investigation that was code-named “Trinity,” led by a group that included members of Belgium’s federal police, domestic secret service, military intelligence, and a specialist unit known as a Computer Emergency Response Team. Belgacom also recruited help in the form of Netherlands-based cybersecurity firm Fox-IT; it called in the U.S. technology company Cisco to assess the damage, as well.

The malware that had infected Belgacom’s systems was disguised as
legitimate Microsoft software, the investigators found. It was secretly
collecting data from the company’s networks before storing it in
compressed containers with several layers of encryption. Assessing the
extent of the damage was no easy task.

The Belgians could not completely decrypt the files and were therefore unable to identify exactly what had been taken from Belgacom’s computers.

The hackers were retrieving the stolen information from Belgacom’s
systems during business hours, masking their activity within the normal
flows of data passing to and from the company’s networks. But in late
August 2013, the malware suddenly began deleting itself, vanishing in
minutes from Belgacom’s infected computers. “The attackers knew they’d
been discovered,” said a security expert who worked on the case. “They
pushed a button to destroy the malware.”
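The business-hours exfiltration described above is exactly the case a time-of-day rule misses. As an added example that is not part of the Intercept article and not tooling from Belgacom, Fox-IT or any other party named on the page, the Python below runs two detectors over constructed flow records: a naive off-hours rule, and a per-host baseline that flags large outbound volumes to destinations the host has never talked to before, regardless of the hour. Hostnames, addresses, byte counts, the learning cutoff date and the alert ratio are all invented for the example.

```python
"""Added example (not from the article): two ways to look for exfiltration.

Flow records are constructed for this example; hosts, addresses, sizes and
dates are invented and are not Belgacom data.  Each line is:
    <ISO timestamp> <src_host> <dst_ip> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

SAMPLE_FLOWS = """\
2013-06-03T09:05:00 mail-01 198.51.100.5 1200
2013-06-03T10:12:00 mail-01 198.51.100.5 1500
2013-06-03T11:40:00 mail-01 198.51.100.9 900
2013-06-04T09:30:00 mail-01 198.51.100.5 1300
2013-06-04T14:02:00 mail-01 198.51.100.9 1100
2013-06-04T15:10:00 web-02 198.51.100.20 5000
2013-06-05T10:00:00 web-02 198.51.100.20 5200
2013-06-10T09:15:00 mail-01 198.51.100.5 1250
2013-06-10T10:20:00 mail-01 203.0.113.44 480000
2013-06-10T11:05:00 mail-01 203.0.113.44 510000
2013-06-10T16:30:00 web-02 198.51.100.20 5100
2013-06-11T02:13:00 web-02 198.51.100.20 4900
"""

# Flows before this (invented) date are treated as known-good history.
LEARNING_CUTOFF = datetime(2013, 6, 8)


def parse_flows(text):
    """Turn the text records into (timestamp, host, dst, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows


def off_hours_alerts(flows, start_hour=8, end_hour=18):
    """Naive rule: flag any flow outside business hours.

    An attacker who transfers data during the working day is designed to
    slip past this; on the sample it only catches the benign overnight flow.
    """
    return [(host, dst, nbytes) for ts, host, dst, nbytes in flows
            if not start_hour <= ts.hour < end_hour]


def learn_baseline(flows, cutoff):
    """Per host: destinations seen before the cutoff and the mean outbound
    bytes per flow in that period."""
    known = defaultdict(set)
    sizes = defaultdict(list)
    for ts, host, dst, nbytes in flows:
        if ts < cutoff:
            known[host].add(dst)
            sizes[host].append(nbytes)
    return {host: (known[host], mean(sizes[host])) for host in known}


def new_destination_alerts(flows, cutoff, ratio=10.0):
    """Flag (host, dst) pairs after the cutoff where dst is new for that host
    and the total bytes sent are at least `ratio` times the host's usual
    per-flow volume.  Time of day is deliberately ignored."""
    baseline = learn_baseline(flows, cutoff)
    totals = defaultdict(int)
    for ts, host, dst, nbytes in flows:
        if ts >= cutoff:
            totals[(host, dst)] += nbytes
    alerts = []
    for (host, dst), total in sorted(totals.items()):
        known, avg = baseline.get(host, (set(), 0.0))
        if dst not in known and total >= ratio * max(avg, 1.0):
            alerts.append((host, dst, total))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("off-hours rule:", off_hours_alerts(flows))
    print("new-destination baseline:",
          new_destination_alerts(flows, LEARNING_CUTOFF))
```

On the sample, the off-hours rule fires only on web-02's harmless 02:13 flow to a long-known address, while the baseline detector flags mail-01's two daytime uploads to 203.0.113.44 (a destination never seen in the learning window). In a real deployment the cutoff would be a rolling window, the threshold a per-destination percentile rather than a fixed ratio, and the compressed, encrypted containers the article describes would add a second signal (high-entropy payloads), but volume to a previously unseen destination is the cheap first pass.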

Luckily, the investigators had already made copies of the bug. They
followed the digital evidence, forensically analyzing it for clues. They
found that the stolen data had been sent out of Belgacom’s systems to a
network of servers seemingly operated by the hackers.

They identified
the servers by tracing IP addresses – a series of numbers assigned to
computers when they connect to the internet – to countries including
India, the Netherlands, Indonesia, and Romania.

The hackers had rented the servers from private companies operating
in each of these countries. Belgian police contacted the companies and
asked them to turn over any information they had about the customers who
had purchased the servers. The companies complied, providing the police
with names, addresses, and payment records. The police now had a list
of people they believed could be responsible for the hack. But that’s
where the trail began to go cold.

The addresses were for people who appeared to live in Germany and
Denmark. Belgian federal police officers reached out to their
counterparts in these countries, sharing the details about their
suspects. But there were no records of anyone with the suspects’ names
having lived at the addresses. In Germany, the address the hackers had
used turned out to be a theater. It quickly became obvious to the
investigators that the information was fraudulent.

Their prime suspects
were people who did not exist.

“There was nothing there – just ghosts,” said a source close to the investigation. “They are spies. They put up smokescreens.”

One detail would later take on significance, however. The servers had in some cases been purchased with payment cards that appeared to have been issued to people based in the U.K.

In June 2013, shortly before the discovery of the intrusion at Belgacom, journalists began publishing documents leaked by National Security Agency whistleblower Edward Snowden. The documents exposed controversial mass surveillance programs operated by the NSA [ie US taxpayers] and its British counterpart, GCHQ.

Some of the Belgacom investigators initially suspected that the NSA
was involved in the hack, partly due to the complexity of the malware.
It bore similarities to Stuxnet and Flame, U.S.-created digital viruses
designed to sabotage and collect intelligence about Iran’s uranium
enrichment program. “This was by far the most sophisticated malware I’ve
ever seen,” recalled Frank Groenewegen, a researcher who analyzed
Belgacom’s infected systems for the cybersecurity firm Fox-IT.

It was not until September 2013 that the Belgians would learn the truth: The Belgacom intrusion had in fact been carried out by another of their close allies, the British. Documents from Snowden, published that month by Der Spiegel, showed that a GCHQ unit called the Network Analysis Centre had hacked into the computers of three Belgacom engineers who had access to sensitive parts of the company’s systems.

When the details about the hack went public, Belgacom tried to play down the extent of the breach.

The company circulated a press release
insisting there was “no indication of any impact” for its customers and
their data. But the reassurance turned out to be false. As The
Intercept revealed in December 2014, the most sensitive parts of Belgacom’s networks were
compromised in stages between January and December 2011.

After
installing malware on the engineers’ computers by luring them to a fake
version of the LinkedIn website, GCHQ was able to steal their keys to
the secure parts of Belgacom’s networks and begin monitoring the data
flowing across them. The agency [GCHQ] boasted in classified reports that the
operation was “hugely successful.” It gained access to Belgacom “both
deep into the network and at the edge of the network” and hacked into
data links carrying information over a protocol known as GPRS, which
handles cellphone internet browsing sessions and multimedia messages.

The British spies appear to have targeted Belgacom due to its role as one of Europe’s most important telecommunications hubs. Through a subsidiary company called Belgacom International Carrier Services, it maintains data links across the continent and also processes phone calls and emails passing to and from the Middle East, North Africa, and South America. But tapping into a broad range of global communications is only one possible motive. GCHQ may also have sought access to Belgacom’s networks to snoop on NATO and key European institutions, such as the European Commission, the European Parliament, and the European Council. All of those organizations have large offices and thousands of employees in Belgium. And all were Belgacom customers at the time of the intrusion.

Over the last decade [2008-2018], as the internet and smartphone use have boomed, GCHQ has increasingly turned to hacking to collect intelligence on matters related to economics, geopolitics, and security. Aside from Belgacom, the agency has broken into the computer systems of the oil production organization OPEC; the Netherlands-based security company Gemalto; and organizations that process international cellphone billing records, including Switzerland’s Comfone. The agency [GCHQ] has also hacked several governments and companies from countries including

according to previously
undisclosed lists of some of its targets, contained in the archive of
classified documents that The Intercept obtained from Snowden.

The hacking attacks are among GCHQ’s most sensitive and risky operations, mainly because the method is not as discreet as more traditional forms of electronic surveillance, like monitoring a phone line. Challenges the agency faces during its computer intrusions include “avoiding detection by [the] target or another agency” and “remaining within the law,” according to a previously undisclosed top-secret GCHQ document from the Snowden archive. All of GCHQ’s hacking activities “must be U.K. deniable,” the document says, meaning it should be impossible for those targeted by the hacks to trace them back to GCHQ’s computers. The agency’s hackers use what they call “intermediary machines” and “covert infrastructure” to disguise themselves before they steal information from hacked computers or phones.

In the Belgacom case, these protections failed and GCHQ’s biggest fear was realized. Its operation was discovered and its identity as the perpetrator was publicly exposed. For the authorities in Belgium, however, seeking justice for the damage that the agency caused still proved a remarkable challenge.

As news organizations began publishing the Snowden documents
in 2013, the Belgians studied them with interest. The classified files
revealed details about the planning and execution of the hack [by GCHQ]. But
because the documents appeared in the press, were partly redacted, and
had not been handed straight to the police, the law enforcement
officials overseeing the criminal investigation did not consider them
direct evidence, though they did enter the documents into their case
file.

According to a source close to the investigation, there were informal
discussions over whether it would be possible to ask Snowden to testify
as a witness in the case, so he could verify the documents and
potentially provide his own statement about the hack of Belgacom.
However, senior prosecutor Frederic Van Leeuw poured cold water on the
idea, on the grounds that it would be too damaging diplomatically.
Snowden was in Russia, where he had sought asylum, and interviewing him
could upset the U.S., a powerful ally of the Belgian government. At the
time, there were rising concerns about the movement of potential
Islamist terrorists in Europe. The Belgians needed U.S. assistance in
tracking that threat and feared any move that could jeopardize the
cooperation. (A spokesperson for Van Leeuw declined to comment for this
story.)"...

(continuing); "The investigators knew the U.K. was responsible for the hack. But
they wanted to build their own case, based on their own sources, that
nailed GCHQ as the perpetrator. Some of the forensic evidence they had
obtained from Belgacom’s systems pointed toward the U.K., but it was not
conclusive and could still be denied.There were the payments they had been able to trace to the U.K., but
those turned out to have been made using pre-paid credit cards that were
obtained anonymously – in the Kent area of England and elsewhere – and
not linked directly to GCHQ. The investigators also found the names
“Daredevil” and “Warriorpride”embedded within the code of the malware
that had infected Belgacom’s systems.

These are the names of a hacking tool used by GCHQ and NSA, according to the Snowden documents, and their discovery within Belgacom was as close as the investigators got to a smoking gun. But the Belgians felt these details were still too circumstantial. They needed more.

In late 2013, Belgian police decided to approach the European Union’s
law enforcement agency, Europol, for assistance. Europol helps E.U.
member states fight terrorism and serious crime. It has a specialist
unit called the European Cybercrime Centre, whose mandate is to
“strengthen the law enforcement response to cybercrime in the E.U.” The
Belgians hoped the unit would help them gather more evidence about the
hack.

However, Europol wanted nothing to do with the investigation and
refused to assist, according to two sources familiar with the
interaction. Europol asserted that it would not carry out investigations
into other European Union member states – in this case, the U.K. The
Belgians were frustrated and believed Europol had stonewalled them for
political reasons; they noted with suspicion that the organization was
led by Rob Wainwright, who is British.

Jan Op Gen Oorth, a spokesperson for Europol, told The Intercept in an email that regulations restricted the organization to “investigating acts affecting two or more EU Member States, involving serious and organized crime and terrorist actors only.” Questioned on which regulations he meant, Op Gen Oorth pointed to a policy that did not exist at the time the Belgians asked for assistance with the hack of Belgacom. (The policy was in fact brought into force in May 2017; it states that Europol is empowered to investigate hacks “of suspected criminal origin,” but says nothing about hacks perpetrated by governments.)

At every turn in the case, the Belgian investigators encountered a dead end. They knew that even if they identified specific GCHQ personnel responsible for the hack, they would likely never be able to arrest or extradite them from the U.K. It might have been possible to place the names of particular GCHQ employees on a watch list, and if they ever traveled to Belgium, police could detain and interrogate them. But that would pose its own set of problems. Arresting a British spy would trigger a massive public dispute with the U.K. and there was insufficient political appetite for such a showdown. As such, the Belgian Trinity investigation came to be viewed as little more than symbolic in value.

“We could see GCHQ was behind it, but we knew it was never going to go to court,” said a source close to the case. “But still, we wanted to gather information and make it known to the world that in Belgium if you try to hack our national telecoms we won’t look away, we will investigate.”

The British government has never publicly acknowledged any
role in the Belgacom hack. GCHQ declined to answer questions for this
story and instead issued a statement asserting that its work is carried
out “in accordance with a strict legal and policy framework, which
ensures that our activities are authorised, necessary and
proportionate.” Any GCHQ hack that targets foreign organizations must be
approved at a senior level within the agency, and particularly
sensitive operations sometimes require the sign-off of the government’s
foreign secretary, who at the time of the Belgacom intrusion was William
Hague. A spokesperson for Hague refused to discuss the case, saying he
would not comment on “national intelligence matters.”

In the aftermath of the incident, it is likely that the Belgian
government lodged diplomatic protests with its British counterparts.
According to U.K. government records
obtained by The Intercept through the Freedom of Information Act,
British officials held a series of meetings with Belgian government
representatives after the Belgacom intrusion was publicly exposed. In
October 2013, for instance, foreign secretaries of each country and
senior diplomats attended a two day “Belgian-British conference” at
Lancaster House in London’s West End. Two weeks later, the British
ambassador to Belgium met in Brussels with Johan Delmulle, a top Belgian
federal prosecutor, who was overseeing the Belgacom investigation at
the time.

Even within the Belgian government and law enforcement community, however, there was a lack of clarity about how the case was being handled. The country’s law enforcement personnel were not informed about whether a diplomatic dialogue was underway with the British. Meanwhile, Alexander De Croo, the Belgian government minister responsible for telecoms services, appears to have been kept in the dark about the incident. During a January 2016 talk at the World Economic Forum in Davos, Switzerland, De Croo made the extraordinary suggestion that his own [Belgian] government might even have secretly allowed the British to go ahead with the hack.

“The whole question is: Did we agree or not,” De Croo said. “I am not
the Minister of Justice so I don’t get access to everything .… It might
very well be that the Belgian intelligence services said, ‘Yes please
go ahead, why not?’”

De Croo declined to be interviewed for this story. Belgium’s Ministry of Justice and intelligence services refused to discuss De Croo’s comments, citing an ongoing investigation.

The police file on the Belgacom hack numbers thousands of pages and is expected to be handed over soon to the prosecutor now overseeing the case. That prosecutor, Geert Schoorens, will decide what to do next, including whether to charge anyone over the breach.

Despite the political uproar the incident triggered in 2013, it is
unlikely that any action will be taken.

That GCHQ was responsible is
beyond doubt, but the agency will face no consequences, say sources with
knowledge of the case.

There will be no sanctions for the U.K., no
compensation to cover the damage caused, no arrests, no interrogations,
no apology, and no admission of guilt. Rather, Schoorens will turn over a
report to the Belgian parliament and the investigation will be quietly
closed.

Despite this, the hack has had a palpable impact in Belgium. Belgacom
– or Proximus, as it is now known – committed to spend more than $55
million to reform its internal security procedures. The company created a
cyberdefense unit and recruited “ethical hackers” who routinely try to
break into its networks, which helps identify and fix any potential
vulnerabilities. It has also trained its employees in how to spot
potential hacking attempts, introduced new systems that constantly
monitor activity within its internal networks, and reduced the number of
its computers that have access to sensitive parts of its systems.

The Belgian authorities, too, were forced to embrace changes after
the breach. The criminal investigation brought the country’s law
enforcement and secret services closer together, and now the agencies
are more cooperative on cybersecurity issues. For them, GCHQ's actions were a rude awakening – and the sign of a looming new threat, for which
they are now preparing. “In the next few years, this malware is going to
be in the hands of criminals and terrorists,” said a source close to
the investigation. “Belgacom was a learning curve. We learned how to
respond to a crisis before the next crisis.”"